Microsoft Gives Vulnerability Data To US Intelligence Before The Public

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

US being supplied with troves of data that could be used in cyber attacks, thanks to tech firms’ vulnerability disclosure policies

Microsoft is giving preference to US intelligence agencies by sharing software vulnerability information with them before the wider public.

The fear is that the US government could weaponise the flaws to attack machines running Microsoft software, whether based in the US or outside, taking advantage of the fact that everyone else will be vulnerable.

Microsoft was named as one of the suppliers into the PRISM initiative, a US National Security Agency (NSA) project to gain user data from Internet giants, exposed by whistle-blower Edward Snowden. It has a good relationship with American law enforcement, often working with the FBI and others to shut down cyber threats, as with the recent offensive on the Citadel botnet.

But some in the security industry have lambasted firms that don’t deliver vulnerability information to individuals and organisations at the same time as they notify other parties. Firms such as VUPEN have been criticised for never telling the wider public about the flaws they find, as they normally only reveal vulnerability data to their customers.

Microsoft vulnerability disclosure

A report in Bloomberg, citing two people familiar with the process, claimed Microsoft gave information on flaws in its software to intelligence agencies before releasing information to the public.

Two officials said Microsoft is not made aware of how the vulnerabilities are used. Yet a spokesperson for the company said the tip-offs were designed to give agencies “an early start” for protecting US government systems.

Intel’s McAfee was also named in the report as a close collaborator with the US government. Michael Fey, the company’s worldwide chief technology officer, said the company did not share any kind of personal data with the US government, but simply shared a lot of threat intelligence.

At the time of publication, Microsoft had not responded to a request for comment.

VUPEN CEO, Chaouki Bekrar, told TechWeekEurope he believed Microsoft provided technical details about the vulnerabilities and how to defend against them, “which is enough for a government agency to internally (or potentially with help of companies such as VUPEN) turn the defensive information into offensive and weaponised exploits.”

Other companies are thought to be doing the same as Microsoft, causing even more worry.

“For the companies to be handing over vulnerabilities before they are known by others is going to raise concerns. I can understand those who will say ‘we should all be advised at the same time’,” Professor Alan Woodward, from the Department of Computing at the University of Surrey, told TechWeekEurope.

“Just as with other recent revelations, we may need to wait for the full details to emerge before drawing our final conclusions.

“What has been stated so far is that companies tell the US government of vulnerabilities before they are fixed. That does not necessarily imply that they are deliberately trying to create a window of opportunity for the government to exploit such vulnerability. If that were their intention I would be concerned.

“But, in the current climate of public opinion following the Snowden case, I suspect people will draw the most conspiratorial inference from any information that is released about how governments and big IT firms collaborate.”

UPDATE: A Microsoft spokesperson sent TechWeek the following comment: “Microsoft has several programs through which we disclose information regarding vulnerabilities, some of which have government participants. Prior to any fix being released to the ~1bn computers that receive automatic security updates each month, Microsoft communicates with program participants after our engineering cycle is completed to ensure delivery of the most current information. While timing varies slightly each month, disclosure takes place just prior to our security update for billions of customers.

“One example is our Microsoft Active Protections Program (MAPP), which supplies Microsoft vulnerability information to security software partners prior to Microsoft’s monthly security update release so partners can build enhanced customer protections.

“Another example of information sharing is the Security Cooperation Program (SCP) for governments. Membership provides key technical information on security vulnerabilities prior to the security update being publicly available.”

Microsoft said the US intelligence agencies did not receive information before other governments on the SCP.
